

**Amendments to the Claims:**

This listing of claims will replace all prior versions, and listings, of claims in the application:

**Listing of Claims:**

1. (currently amended) An apparatus comprising:

a processor executive (PE) executable on a processor to handle load an operating system executive (OSE) in a secure environment, the secure environment having a fused key (FK) and associated with an isolated memory area in a platform having the processor, the OSE to manage a subset of an operating system (OS) running on the platform, the platform having a processor capable of selectively operating in one of a normal execution mode and, alternatively, in an isolated execution mode, the isolated memory area being accessible to the processor in the isolated execution mode;

~~a PE supplement to supplement the PE with comprising a PE manifest that represents representing the PE and a PE identifier to identify the PE; and~~

~~a PE handler to handle verify the PE using the FK and the PE supplement.~~

2. (currently amended) The apparatus of claim 1 further comprises comprising:

~~a boot-up code to load the PE handler into the isolated memory area during a process of booting boot up the platform following a power-on.~~

3. (currently amended) The apparatus of claim 2 claim 1 wherein the secure environment includes an OSE supplement to supplement the OSE with comprising an OSE manifest that represents representing the OSE and an OSE identifier to identify the OSE.

4. (currently amended) The apparatus of ~~claim 3~~ claim 1 wherein the PE handler comprises:

a PE loader to load the PE and ~~the PE supplement from a PE memory~~ into the isolated memory area ~~using a parameter block provided by the boot-up code;~~

~~a PE manifest verifier to verify the PE manifest; and~~

~~a PE verifier to verify the PE using the PE manifest and a constant derived from the FK.~~

5. (currently amended) The apparatus of ~~claim 4~~ claim 1 wherein the PE handler further comprises:

a PE key generator to generate a PE key using the FK;

a PE identifier logger to log ~~the~~ a PE identifier in a storage; and

a PE entrance/exit handler to handle a PE entry and a PE exit.

6. (currently amended) The apparatus of claim 5 wherein the PE key generator comprises:

a PE key combiner to combine the PE identifier and the FK, the combined PE identifier and ~~the~~ FK corresponding to the PE key.

7. (currently amended) The apparatus of ~~claim 6~~ claim 3 wherein the PE comprises:

an OSE loader to load the OSE and the OSE supplement into the isolated memory area;

an OSE manifest verifier to verify the OSE manifest; and

an OSE verifier to verify the OSE.

8. (currently amended) The apparatus of ~~claim 7~~ claim 1 wherein the PE further comprises:

an OSE key generator to generate an OSE key;

an OSE identifier logger to log ~~the~~ an OSE identifier in a storage; and

an OSE entrance/exit handler to handle an OSE entry and an OSE exit.

9. (currently amended) The apparatus of claim 8 wherein the OSE key generator comprises:

a binding key generator to generate a binding key (BK) using ~~the a~~ PE key; and

an OSE key combiner to combine the OSE identifier and the BK, the combined OSE identifier and ~~the~~ BK corresponding to the OSE key.

10. (currently amended) The apparatus of ~~claim 9~~ claim 1 wherein the OSE comprises:

a module loader to load a module into the isolated memory area;

a page manager to manage paging in the isolated memory area; and

an interface handler to handle interface interfacing with the OS.

11. (currently amended) The apparatus of ~~claim 9~~ claim 10 wherein the module is ~~one~~ comprises one or more modules selected from the group consisting of an application module, an applet module, and a support module.

12. (currently amended) The apparatus of claim 11 wherein the OSE further comprises:

an applet key generator to generate an applet key associating associated with the applet module.

13. (currently amended) The apparatus of claim 12 wherein the applet key generator comprises:

an applet key combiner to combine ~~the an~~ OSE key with an applet identifier identifying the applet module, the combined OSE key and ~~the~~ applet identifier corresponding to the applet key.

14. (currently amended) The apparatus of ~~claim 13~~ claim 4 wherein the [[boot up]] boot-up code comprises:

a PE locator to locate the PE and the PE supplement, the PE locator transferring the PE and the PE supplement into the PE memory at a PE address;

a PE recorder to record the PE address in ~~the~~ a parameter block; and

an instruction invoker to execute an isolated create instruction, the isolated create instruction loading the PE handler into the isolated memory area.

15. (original) The apparatus of claim 14 wherein the isolated create instruction performs an atomic sequence, the atomic sequence being non-interruptible.

16. (currently amended) The apparatus of claim 15 wherein the atomic sequence includes operations comprising comprises:

~~a physical memory operation to verify if the processor is in a flat physical page mode;~~

~~an atomic read-and-increment operation to read and increment reading a thread count register in a chipset, the read-and-increment operation determining to determine~~ if the processor is the first processor in the isolated execution mode;

~~an isolated memory area control operation to configure the chipset using a configuration storage;~~

~~a processor isolated execution operation to configure configuring~~ the processor in the isolated execution mode; and

~~an PE handler loading operation to load loading~~ the PE handler into the isolated memory area.

17. (currently amended) The apparatus of ~~claim 16~~ claim 15 wherein the atomic sequence of operations further comprises:

~~a PE handler verification to verify the verifying a loaded PE handler; and~~

~~an exit operation to transfer transferring~~ control to the loaded PE handler.

18. (currently amended) The apparatus of claim 16 wherein the ~~processor isolated execution operation~~ atomic sequence of operations further comprises:

~~a chipset read operation to read the~~ reading a configuration storage in the chipset when the processor is not a ~~the~~ first processor in the isolated execution mode; and

~~a processor configuration operation to configure~~ configuring the processor according to the configuration storage in the chipset when the processor is not the first processor in the isolated execution mode.

19. (currently amended) The apparatus of claim 18 wherein the chipset includes at least one hub selected from the group consisting of a memory controller hub (MCH) and an input/output controller hub (ICH).

20. (original) The apparatus of claim 8 wherein the storage is in an input/output controller hub (ICH) external to the processor.

21. (currently amended) A method comprising:

~~handling loading an operating system executive (OSE) by a processor executive (PE) in a secure environment into an isolated memory area of a platform, the secure environment platform having a fused key (FK) and a processor capable of selectively operating in a normal execution mode and, alternatively, in an isolated execution mode associated with an isolated memory area in a platform, the OSE to manage a subset of an operating system (OS) running on the platform, the platform having a processor operating in one of a normal execution mode and an isolated execution mode, the isolated memory area being accessible to the processor in the isolated execution mode, the loading of the OSE initiated by a processor executive (PE) executing on the processor;~~

~~supplementing the PE using a PE supplement, the PE supplement having a PE manifest representing the PE and a PE identifier to identify the PE; and~~

~~handling verifying the PE by a PE handler using the FK and the a PE supplement having a PE manifest that represents the PE.~~

22. (currently amended) The method of claim 21 further ~~comprises comprising:~~

~~loading the PE handler into the isolated memory area during a process of booting up the platform by a boot up code following a power on.~~

23. (canceled)

24. (currently amended) The method of ~~claim 23~~ claim 21 wherein ~~handling the PE comprises handler performs operations comprising:~~

~~loading the PE and the PE supplement from a PE memory into the isolated memory area using a parameter block provided by the boot up code;~~

~~verifying the PE manifest; and~~

~~verifying the PE using the PE manifest and a constant derived from the FK.~~

25. (currently amended) The method of claim 24 wherein ~~handling the PE further comprises handler performs operations comprising:~~

generating a PE key using the FK;  
logging ~~the~~ a PE identifier in a storage; and  
handling a PE entry and a PE exit.

26. (currently amended) The method of claim 25 wherein generating the PE key comprises:

combining the PE identifier and the FK, the combined PE identifier and ~~the~~ FK corresponding to the PE key.

27. (currently amended) The method of claim 26 wherein ~~handling the OSE comprises claim 21, further comprising:~~

~~loading the OSE and the OSE supplement into the isolated memory area;~~  
~~verifying the OSE manifest;~~ and  
verifying the OSE after loading the OSE into the isolated memory area.

28. (currently amended) The method of claim 27 ~~claim 21~~ wherein ~~handling the OSE further comprises the operations performed by the PE comprise:~~

generating an OSE key;  
logging ~~the~~ an OSE identifier in a storage; and  
handling an OSE entry and an OSE exit.

29. (currently amended) The method of claim 28 wherein generating the OSE key comprises:

generating a binding key (BK) using the PE key; and  
combining the OSE identifier and the BK, the combined OSE identifier and ~~the~~ BK corresponding to the OSE key.

30. (currently amended) The method of claim 29 claim 21 wherein managing the OSE manages the subset of the OS by performing operations comprising comprises:

loading a module into the isolated memory area;  
managing paging in the isolated memory area; and  
~~handling interface interfacing~~ with the OS.

31. (currently amended) The method of claim 29 wherein the module ~~is one~~ comprises one or more modules selected from the group consisting of an application module, an applet module, and a support module.

32. (currently amended) The method of claim 31 wherein managing the subset of the OS the OSE performs further operations comprising comprises:

generating an applet key associating associated with the applet module.

33. (currently amended) The method of claim 32 wherein generating the applet key comprises:

combining the OSE combines the an OSE key with an applet identifier identifying the applet module, the combined OSE key and ~~the~~ the applet identifier corresponding to the applet key.

34. (currently amended) The method of claim 33 ~~wherein booting up comprises~~ claim 21, further comprising:

locating the PE and the PE supplement;  
transferring the PE and the PE supplement into the PE memory at a PE address during a process of booting the platform;  
recording the PE address in ~~the a~~ a parameter block; and  
executing an isolated create instruction during the process of booting the platform, the isolated create instruction loading the PE handler into the isolated memory area.

35. (original) The method of claim 34 wherein executing the isolated create instruction comprises performing an atomic sequence, the atomic sequence being non-interruptible.

36. (currently amended) The method of claim 35 wherein performing the atomic sequence comprises:

~~verifying if the processor is in a flat physical page mode;~~  
~~reading and incrementing a thread count register in a chipset to determine if the processor is the first processor in the isolated execution mode;~~  
~~configuring the chipset using a configuration storage;~~  
configuring the processor in the isolated execution mode; and  
loading the PE handler into the isolated memory area.

37. (currently amended) The method of ~~claim 36~~ claim 35 wherein performing the atomic sequence further comprises:

verifying ~~the a~~ loaded PE handler; and  
transferring control to the loaded PE handler.

38. (currently amended) The method of claim 36 wherein configuring the processor in the isolated execution mode comprises:

reading ~~the a~~ configuration storage in the chipset when the processor is not ~~a~~ the first processor in the isolated execution mode; and  
configuring the processor according to the configuration storage in the chipset when the processor is not the first processor in the isolated execution mode.

39. (currently amended) The method of claim 38 wherein the chipset includes at least one hub selected from the group consisting of a memory controller hub (MCH) and an input/output controller hub (ICH).

40. (original) The method of claim 28 wherein the storage is in an input/output controller hub (ICH) external to the processor.

41-60. (canceled)

61. (currently amended) A system comprising:

a processor capable of selectively operating in one of a normal execution mode and, alternatively, in an isolated execution mode;

a memory coupled to the processor having an isolated memory area accessible to the processor in the isolated execution mode; and

~~an executive subsystem comprising:~~

a processor executive (PE) executable on the processor to handle load an operating system executive (OSE) in a secure environment, the secure environment having a fused key (FK) and associated with the isolated memory, the OSE to manage a subset of an operating system (OS)[[.,.]]; and

a PE supplement residing in storage within the system, the PE supplement to supplement the PE with comprising a PE manifest that represents representing the PE and a PE identifier to identify the PE; and

a PE handler to handle verify the PE using the FK and the PE supplement.

62. (currently amended) The system of claim 61 ~~wherein the executive subsystem further comprises comprising:~~

a boot-up code to load the PE handler into the isolated memory area during a process of booting boot up the platform following a power-on.

63. (currently amended) The system of ~~claim 62~~ claim 61 wherein the secure environment includes an OSE supplement ~~to supplement the OSE with comprising~~ an OSE manifest that represents representing the OSE and an OSE identifier to identify the OSE.

64. (currently amended) The system of claim 63 claim 61 wherein the PE handler comprises:

- a PE loader to load the PE and the PE supplement from a PE memory into the isolated memory area using a parameter block provided by the boot-up code;
- a PE manifest verifier to verify the PE manifest; and
- a PE verifier to verify the PE using the PE manifest and a constant derived from the FK.

65. (currently amended) The system of claim 64 claim 61 wherein the PE handler further comprises:

- a PE key generator to generate a PE key using the FK;
- a PE identifier logger to log the a PE identifier in a storage; and
- a PE entrance/exit handler to handle a PE entry and a PE exit.

66. (currently amended) The system of claim 65 wherein the PE key generator comprises:

- a PE key combiner to combine the PE identifier and the FK, the combined PE identifier and the FK corresponding to the PE key.

67. (currently amended) The system of claim 66 claim 63 wherein the PE comprises:

- an OSE loader to load the OSE and the OSE supplement into the isolated memory area;
- an OSE manifest verifier to verify the OSE manifest; and
- an OSE verifier to verify the OSE.

68. (currently amended) The system of claim 67 claim 61 wherein the PE further comprises:

- an OSE key generator to generate an OSE key;
- an OSE identifier logger to log the an OSE identifier in a storage; and
- an OSE entrance/exit handler to handle an OSE entry and an OSE exit.

69. (currently amended) The system of claim 68 wherein the OSE key generator comprises:

a binding key generator to generate a binding key (BK) using ~~the a~~ PE key; and

an OSE key combiner to combine the OSE identifier and the BK, the combined OSE identifier and ~~the~~ BK corresponding to the OSE key.

70. (currently amended) The system of ~~claim 69~~ claim 61 wherein the OSE comprises:

a module loader to load a module into the isolated memory area;

a page manager to manage paging in the isolated memory area; and

an interface handler to handle interface interfacing with the OS.

71. (currently amended) The system of ~~claim 69~~ claim 70 wherein the module is ~~one~~ comprises one or more modules selected from the group consisting of an application module, an applet module, and a support module.

72. (currently amended) The system of claim 71 wherein the OSE further comprises:

an applet key generator to generate an applet key associating associated with the applet module.

73. (currently amended) The system of claim 72 wherein the applet key generator comprises:

an applet key combiner to combine ~~the an~~ OSE key with an applet identifier identifying the applet module, the combined OSE key and ~~the~~ applet identifier corresponding to the applet key.

74. (currently amended) The system of claim 73 claim 64 wherein the [[boot up]] boot-up code comprises:

a PE locator to locate the PE and the PE supplement, the PE locator transferring the PE and the PE supplement into the PE memory at a PE address;

a PE recorder to record the PE address in ~~the~~ a parameter block; and

an instruction invoker to execute an isolated create instruction, the isolated create instruction loading the PE handler into the isolated memory area.

75. (original) The system of claim 74 wherein the isolated create instruction performs an atomic sequence, the atomic sequence being non-interruptible.

76. (currently amended) The system of claim 75 wherein the atomic sequence includes operations comprising comprises:

~~a physical memory operation to verify if the processor is in a flat physical page mode;~~

~~an atomic read and increment operation to read and increment reading a thread count register in a chipset, the read and increment operation determining to determine~~ if the processor is the first processor in the isolated execution mode;

~~an isolated memory area control operation to configure the chipset using a configuration storage;~~

~~a processor isolated execution operation to configure configuring the processor in the isolated execution mode; and~~

~~an PE handler loading operation to load loading the PE handler into the isolated memory area.~~

77. (currently amended) The system of claim 76 claim 75 wherein the atomic sequence of operations further comprises:

~~a PE handler verification to verify the verifying a loaded PE handler; and~~

~~an exit operation to transfer transferring control to the loaded PE handler.~~

78. (currently amended) The system of claim 76 wherein the ~~processor-isolated execution operation atomic sequence of operations further comprises:~~

~~a chipset read operation to read the reading a configuration storage in the chipset when the processor is not a the first processor in the isolated execution mode; and~~

~~a processor configuration operation to configure configuring the processor according to the configuration storage in the chipset when the processor is not the first processor in the isolated execution mode.~~

79. (currently amended) The system of claim 78 wherein the chipset includes at least one hub selected from the group consisting of a memory controller hub (MCH) and an input/output controller hub (ICH).

80. (original) The system of claim 68 wherein the storage is in an input/output controller hub (ICH) external to the processor.

81. (new) An apparatus comprising:

a machine accessible medium; and  
instructions encoded in the machine accessible medium, wherein the instructions, when executed in a platform, cause the platform to perform operations comprising:

loading an operating system executive (OSE) into an isolated memory area of a platform, the platform having a fused key (FK) and a processor capable of selectively operating in a normal execution mode and, alternatively, in an isolated execution mode, the OSE to manage a subset of an operating system (OS) running on the platform, the isolated memory area being accessible to the processor in the isolated execution mode, the loading of the OSE initiated by a processor executive (PE) executing on the processor; and

verifying the PE using the FK and a PE supplement having a PE manifest that represents the PE.

82. (new) An apparatus according to claim 81, wherein the instructions implement boot-up code that performs operations comprising:

loading the PE handler into the isolated memory area during a process of booting up the platform.

83. (new) An apparatus according to claim 81, wherein the instructions implement a PE handler that performs operations comprising:

loading the PE into the isolated memory area; and  
verifying the PE manifest using the PE manifest.

84. (new) An apparatus according to claim 81, wherein the instructions implement a PE handler that performs operations comprising:

generating a PE key using the FK;  
logging a PE identifier in a storage; and  
handling a PE entry and a PE exit.

85. (new) An apparatus according to claim 84, wherein the PE handler generates the PE key based at least in part on a combination of the PE identifier and the FK.

86. (new) An apparatus according to claim 81, wherein the instructions cause the platform to verify the OSE after loading the OSE into the isolated memory area.

87. (new) An apparatus according to claim 81, wherein the instructions implement the PE, and the operations performed by the PE comprise:

generating an OSE key;  
logging an OSE identifier in a storage; and  
handling an OSE entry and an OSE exit.

88. (new) An apparatus according to claim 87, wherein the PE stores the OSE identifier in an input/output controller hub (ICH) external to the processor.

89. (new) An apparatus according to claim 81, wherein the instructions cause the platform to perform operations comprising:

generating a binding key (BK) using the PE key; and  
generating the OSE key based at least in part on a combination of the OSE identifier and the BK.

90. (new) An apparatus according to claim 81, wherein the instructions implement the OSE, and the OSE manages the subset of the OS by performing operations comprising:

loading a module into the isolated memory area;  
managing paging in the isolated memory area; and  
interfacing with the OS.

91. (new) An apparatus according to claim 90, wherein the module loaded by the OSE comprises one or more modules selected from the group consisting of an application module, an applet module, and a support module.

92. (new) An apparatus according to claim 91 wherein the OSE performs further operations comprising:

generating an applet key associated with the applet module.

93. (new) An apparatus according to claim 92, wherein the OSE generates the applet key based at least in part on a combination of an OSE key with an applet identifier identifying the applet module.

94. (new) An apparatus according to claim 81, wherein the instructions cause the platform to perform operations comprising:

locating the PE and the PE supplement;  
transferring the PE and the PE supplement into the PE memory at a PE address during a process of booting the platform;

recording the PE address in a parameter block; and  
executing an isolated create instruction during the process of booting the platform, the isolated create instruction loading the PE handler into the isolated memory area.

95. (new) An apparatus according to claim 94, wherein executing the isolated create instruction comprises performing an atomic sequence, the atomic sequence being non-interruptible.

96. (new) An apparatus according to claim 95, wherein performing the atomic sequence comprises:

reading a thread count register in a chipset to determine if the processor is the first processor in the isolated execution mode;  
configuring the processor in the isolated execution mode; and  
loading the PE handler into the isolated memory area.

97. (new) An apparatus according to claim 95, wherein performing the atomic sequence comprises:

verifying a loaded PE handler; and  
transferring control to the loaded PE handler.

98. (new) An apparatus according to claim 95, wherein configuring the processor in the isolated execution mode comprises:

reading a configuration storage in the chipset when the processor is not the first processor in the isolated execution mode; and  
configuring the processor according to the configuration storage in the chipset when the processor is not the first processor in the isolated execution mode.

99. (new) An apparatus according to claim 95, wherein the chipset includes at least one hub selected from the group consisting of a memory controller hub (MCH) and an input/output controller hub (ICH).